Monday, April 28, 2014

At the end of January last year, French power company EDF advised the public that it was seeing a significant rise in the number of phishing complaints it received from customers. An English-language story from The Connexion, EDF customers hit in 'phishing' scam, reports that an EDF spokesperson said that beginning in August 2012 they were seeing 20,000 customers per month complaining about the phish, and that in January 2013 it had risen to as many as 40,000 customers per month. As many as 200 to 300 new phishing sites per month were being created at that time.

This week Malcovery is noticing that the EDF phish are back, with a twist! The current EDF phish are asking for documents with an enormous value for identity theft and are targeting many different French banks with the information. Here's what a currently live phishing site looks like:

The most interesting part of the phish, however, is what comes next! The phishers then tell the victim that in order to prove they are really in charge of this account, they must upload at least two forms of proof of identity:

Identity Card

Credit Card

A copy of a Bank statement

An invoice proving the address

Whichever documents I attempted to upload, it kept insisting that I needed to upload additional documents.

Although this case is most accurately described as an EDF phish, there are actually thirteen targeted banks, and an unlimited number of forms of identity theft that could occur if some victim were to provide all of the requested information. Just another example of how the phishers use FEAR (an unpaid Utility bill that could result in Termination of Service) to steal our credit card information!

Now we know ... more anyway ... Two Ukrainian members of the Jabber Zeus gang stood in federal court in Omaha, Nebraska last week to plead "Not Guilty" after being extradited from the UK. Yuriy Konovalenko and Yevhen Kulibaba are among the nine people listed in the indictments that have been sealed since August of 2012. The list of defendants is:

Vyacheslav Igorevich Penchukov, AKA tank, AKA father

Ivan Viktorvich Klepikov, AKA petr0vich, AKA nowhere

Alexey Dmitrievich Bron, AKA thehead

Alexey Tikonov, AKA kusanagi

Yevhen Kulibaba, AKA jonni

Yuriy Konovalenko, AKA jtk0

John Doe #1, AKA lucky12345

John Doe #2, AKA aqua

John Doe #3, AKA mricq

DOJ is still seeking four of the named criminals, and still has not publicly acknowledged the names of the three John Does. If you have information on these, please reach out to the FBI!

Tank == Vyacheslav Igorevich Penchukov, 32, of Ukraine, who allegedly coordinated the exchange of stolen banking credentials and money mules and received alerts once a bank account had been compromised.

Petr0vich == Ivan Viktorvich Klepikov, 30, of Ukraine, the alleged systems administrator who handled the technical aspects of the criminal scheme and also received alerts once a bank account had been compromised.

TheHead == Alexey Dmitrievich Bron, 26, of Ukraine, the alleged financial manager of the criminal operations who managed the transfer of money through an online money system known as Webmoney.

Kusanagi == Alexey Tikonov, of Russia, an alleged coder or developer who assisted the criminal enterprise by developing new code to compromise banking systems.

Although jonni is only now coming to trial in the United States, the Metropolitan Police of London arrested Kulibaba and his wife Karina Kostromina back in October of 2011, as we learned from KrebsOnSecurity in his article ZeuS Trojan Gang Faces Justice. Yuriy Konovalenko, AKA Pavel Klikov, was also in custody in the UK and was "due to be sentenced" according to Krebs' article.

Many of the crimes covered in this indictment are well known to us already, largely due to the work of journalist Brian Krebs. While Krebs was still at the Washington Post writing his Security Fix column, he made Zeus a household name.

Selected Victims:

Bank of America

Bullitt County Kentucky - Security Fix, Brian Krebs, July 2009. -- Bullitt County had $415,000 stolen from their accounts after being infected by Zeus.

Doll Distributing of Des Moines, Iowa

First Federal Savings Bank of Elizabeth Town, Kentucky

Franciscan Sisters of Chicago, (Homewood, Illinois)

Husker AG, LLC of Plainview, Nebraska

Key Bank of Sylvania, Ohio

ODAT LLC, d/b/a Air Treatment Company

Parago, Inc of Lewisville, TX

Salisbury Bank & Trust of Salisbury, MA

Town of Egremont, Mass

Union Bank and Trust of Lincoln, Nebraska

Union Bankshares of Ruther Glen, VA

United Dairy, Inc of Martins Ferry, OH

The version of Zeus at the heart of this investigation communicated stolen credentials to a server located on the IP address 66.199.248.195 at Ezzi.net in Brooklyn, NY. An FBI Agent interviewed Mohammed Salim in September 2009, who confirmed that the server in question, called the Incomeet server, was custom built for a Russian company "IP-Server Ltd" in Moscow, whose point of contact was "Alexey S."
Extensive chat logs were recovered from the server under four separate search warrants - September 28, 2009, December 9, 2009, March 17, 2010, and May 21, 2010. Those logs showed the criminals discussing their conspiracy, including many instances of the criminals trading login credentials for bank accounts.

Those chats also showed that the criminals closely follow Brian Krebs! Tank and Aqua are shown discussing his Bullitt County article linked above and saying "They laid out the entire scheme! I'm really pissed! They exposed the entire deal!"

Doll Distributing had $59,222 stolen from them on two occasions. One of those wire transfers went to "Pandora Service, LLC" and to "Kodash Consulting." FBI Agents interviewed Heidi Nelson and Renee Michelli, the proprietors of those organizations, who had believed they were acting as "financial agents" for a Russian software company. In other words, they were money mules.

All of the victims named above were discussed in the chat logs by the criminals charged in this case.

I especially enjoyed learning how TANK was identified by name. In the chat, on July 22, 2009, he announced that his daughter, Miloslava, had been born and gave her birth weight. A records search of Ukrainian birth records only showed one girl named Miloslava with that birth weight born on that day. Her father was Vyacheslav Igorevich Penchukov. This was enough to seize the computers from Tank's home, which confirmed it was the same person!

Petr0vich was discovered because of mentions of the email address "theklutch@gmail.com" in the chat logs. Gmail was subpoenaed to get records for this email account, which showed "92.242.127.198" had been used to log in to that email address at least 790 times. The secondary email for that account, "petr0vich@ua.fm", was given when the account was created November 24, 2004. Several other addresses were used to login to both the petr0vich jabber account on the Incomeet server and the Gmail address, including 209.160.22.135. Similar techniques were then used to find the computers located at those IP addresses. Ivan Viktorovich Klepikov was found to be living in Donetsk, Ukraine.

TheHead stated his real name in the chat, and gave his gmail account as "alexey.bron@gmail.com". He was telling the truth.

Kusanagi gave a phone number in the chat, and investigators found that phone number on a public webpage where Alexey Tikonov's real name and contact information were given. He lived in Tomsk, Russia. He also used his Kusanagi identity to post videos, and WHOIS information related to the location of those videos confirmed where he lived.

Jonni and Jtk0 were identified by Detective Sergeant Simon Williams of the Metropolitan Police of London.

Friday, April 11, 2014

Like most criminals, or let's face it, most programmers, Phishers are lazy. They like to be able to create one website and have it live for an extended period of time. Unfortunately for them, victim companies either smash new phishing sites as fast as they can, or they hire companies to do it for them. At Malcovery Security we concentrate on INTELLIGENCE rather than takedown, so our focus is in understanding what the sites can teach us about the criminal behind the attack, and how the many attacks against your brand are related to each other and to attacks against other brands.

A friend of ours shared a link to a website today that was imitating Centra, a convenience and grocery chain throughout Ireland.

The accompanying spam message promises that they will pay us 150 Euros just for taking their survey!

For the convenience of the consumer, rather than having to wait for a check (cheque) in the mail, you can just enter all of your Credit Card information, and your Date of Birth and some other personal details, and they'll deposit the money right into your credit account!

As we looked at the log files, we found an interesting fact. NONE of the more than 900 visitors to the website had visited the site DIRECTLY. They were all being referred from other URLs. This is our indicator that the spam messages did NOT contain a link to the domain shown above. Instead, they were pointing at websites with Chinese domain names!

Since most of the time when I'm in the UK I am running dawn to dusk in meetings, Tesco is the only store I've actually ever shopped in, since there is one on every street corner in London. The phishers have correctly updated their currency to use Pounds instead of Euros: "TESCO Supermarkets will add £150 credit to your account just for taking part in our quick survey." but other than that, this is the same phish!

And, as with the other, the actual advertised URL from the spam campaign is hosted in China, and simply updates the content with a Frame SRC = .

Remnants in the logs make it seem likely that this phisher has also targeted Woolworths (there are many 404 messages in the very early part of the phish for paths with /wps/woolworths/ in them). It is very likely that this is a throw-back to the Woolworths phish from 2012. (Woolworths is a food chain in Australia; they got so many of these scams that they did television news announcements warning about it. See for example: Scam Alert (A Current Affair, November 2012).) Those spam messages looked like this:

Subject: Customer Satisfaction Survey! Win 150$

Congratulations!

You have been selected by Woolworths Online Department to take part in our quick and easy reward survey. In return we will credit $150 to your account - Just for your time!

Helping us better understand how our members feel, benefits everyone.

With the information collected we can decide to direct a number of changes to improve and expand our services. The information you provide us is all non-sensitive and anonymous. No part of it is handed down to any third party groups. It will be stored in our secure database for maximum of 3 days while we process the results of this nationwide survey.
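The two log checks used above (the referrer test from the Centra/Tesco analysis, where none of the 900+ visitors arrived directly, and the early 404s that exposed the older /wps/woolworths/ layout) are illustrated here with added example code that is not from the original post. The log lines, hostnames and function names are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" log format:
# ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not the real kit's logs): two early 404s for an older
# kit path, then three hits on the live survey page, every one sent by a lure host.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Apr/2014:06:01:10 +0000] "GET /wps/woolworths/index.php HTTP/1.1" 404 310 "http://old-lure.example/" "Mozilla/5.0"
203.0.113.11 - - [11/Apr/2014:06:03:22 +0000] "GET /wps/woolworths/survey.php HTTP/1.1" 404 310 "http://old-lure.example/" "Mozilla/5.0"
198.51.100.7 - - [11/Apr/2014:09:12:01 +0000] "GET /centra/survey.php HTTP/1.1" 200 5120 "http://lure-a.example/" "Mozilla/5.0"
198.51.100.8 - - [11/Apr/2014:09:12:05 +0000] "GET /centra/survey.php HTTP/1.1" 200 5120 "http://lure-a.example/" "Mozilla/5.0"
198.51.100.9 - - [11/Apr/2014:09:13:44 +0000] "GET /centra/survey.php HTTP/1.1" 200 5120 "http://lure-b.example/go.html" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None when it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def referrer_host(referer):
    """Hostname from a Referer value, or None when the browser sent none ('-' or empty)."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname

def analyse(log_text):
    """Count direct vs referred hits, tally referring hosts, and collect 404'd paths."""
    direct = referred = 0
    referrer_hosts = Counter()
    missing_paths = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:  # blank or malformed line
            continue
        host = referrer_host(rec["referer"])
        if host is None:
            direct += 1
        else:
            referred += 1
            referrer_hosts[host] += 1
        if rec["status"] == "404":
            missing_paths[rec["path"]] += 1
    return {"direct": direct, "referred": referred,
            "referrer_hosts": referrer_hosts, "missing_paths": missing_paths}

def spam_links_point_elsewhere(report):
    """True when every visitor carried a Referer: the mailed URL was not this host."""
    return report["direct"] == 0 and report["referred"] > 0

def path_prefixes(missing_paths, depth=2):
    """Group 404'd paths by their first `depth` directories to expose earlier kit layouts."""
    prefixes = Counter()
    for path, n in missing_paths.items():
        parts = [p for p in path.split("/") if p]
        prefixes["/" + "/".join(parts[:depth])] += n
    return prefixes

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print(f"direct: {report['direct']}  referred: {report['referred']}")
    for host, n in report["referrer_hosts"].most_common():
        print(f"  {n:4d} hits via {host}")
    if spam_links_point_elsewhere(report):
        print("no direct visits: the spam linked to the referrer hosts, not this domain")
    for prefix, n in path_prefixes(report["missing_paths"]).most_common():
        print(f"  {n:4d} x 404 under {prefix}  (remnant of an earlier kit?)")
```

The referring hosts are the URLs the spam actually carried, which is where takedown and blocklisting effort belongs; the 404 prefixes give a fingerprint for linking this kit to earlier campaigns.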

Thursday, April 10, 2014

Today the U.S. government unsealed its indictment against Fifty-Five members of the Carder.su carding forum. We wrote about Carder.su before on this blog, back in March 2009, when a rival gang was trying to call attention to Carder.su by sending out spam advertising the site. (See: Carders do battle through spam - carder.su.) No wonder they were jealous! Today's indictment shows the Carder.su guys performed over $50 Million in fraudulent charges!

Named in the indictment were 39 individuals, all charged with "General Allegations" called:

Count One (Participate in a Racketeer Influenced Corrupt Organization [RICO])
and Count Two (Conspiracy to Engage in a Racketeer Influenced Corrupt Organization).

The whole group are described in the indictment like this:

"The defendants herein, and others known and unknown, are members of, employed by, and associates of a criminal organization, hereafter referred to as "the Carder.su organization," whose members engage in acts of identity theft and financial fraud, including, but not limited to, acts involving trafficking in stolen means of identification; trafficking in, production and use of counterfeit identification documents; identity theft; trafficking in, production and use of unauthorized and counterfeit access devices; and bank fraud; and whose members interfere with interstate and foreign commerce through acts of identity theft and financial fraud. Members and associates of the Carder.su organization operate principally in Las Vegas, Nevada, and elsewhere."

Here's the list:

| Name | AKA List | Counts Charged |
|---|---|---|
| Roman Zolotarev | Admin, Support | 1-2, 19 |
| Konstantin Lopatin | Graf | 1-2, 33, 44, 47 |
| Alexander Kostyukov * | Temp, KLBS | 1-2, 3-17 |
| Maceo Boozer III | XXXSimone, G4, El Padrino, Mr. Right, MRDC87 | 1-2, 3-17 |
| Tin-Yueng Wong | Ray Wong, Ray | 1-2, 3-17 |
| Edward Montecalvo * | N1ghtmare, Tenure44 | 1-2, 3-17, 22-55 |
| Yu Feng Wang | Ibatistuta | 1-2 |
| Mohamed Amr Mahmoud | Amr Mahmoud, CC--Trader, Kengza | 1-2, 20, 22-55 |
| Jermaine Smith | SirCharlie57, FairBusinessman | 1-2, 61-62 |
| Makyl Haggerty | Wave | 1-2 |
| Aladelola Teslim Ajayi | Bank Manager, Document Manager, Corey | 1-2, 61-62 |
| Alexandru Ion | AbagnaleFrank | 1-2 |
| Jordan Georgievski | Devica | 1-2 |
| Roman Seleznev | Track2, Bulba, NCUX | 1-2, 22-55 |
| Qasir Mukhtar | Caliber | 1-2, 56-60 |
| Roy Ayad | Rabie Ayad, Patistota | 1-2, 22-55 |
| Mina Morris | Source | 1-2, 22-55 |
| Rachid Idaali | C4rd3r | 1-2, 22-55 |
| Liridon Musliu | Bowl | 1-2, 22-55 |
| Sergei Litvinenko | Dorbik, Matad0r | 2 |
| Michael Lofton | Killit, Lofeazy | 1-2, 3-17 |
| Shiyang Gou | CDER | 1-2, 3-17 |
| David Ray Camez | Badman, DoctorSex | 1-2, 3-17 |
| Cameron Harrison | Kilobit | 1-2, 3-17 |
| Aleksandar Besarovic | Qiller | 1-2, 3-17 |
| Duvaughn Butler | Mackmann | 1-2, 21, 61-62 |
| Fredrick Thomas | 1Stunna | 1-2 |
| John Doe 1 | Senna071 | 1-2, 3-17 |
| John Doe 2 | Morfiy | 1-2, 3-17 |
| John Doe 3 | Gruber | 1-2, 18 |
| John Doe 4 | Maxxtro | 1-2 |
| John Doe 5 | Elit3 | 1-2 |
| John Doe 6 | Fozzy | 1-2, 22-55 |
| John Doe 7 | Vitrum, Lermentov | 1-2, 22-55 |
| Andrei Bolovan | Panther, Euphoric, Darkmth | 1-2, 22-55 |
| John Doe 8 | TM | 1-2, 22-55 |
| John Doe 9 | Zo0mer, Deputat | 1-2, 22-55 |
| John Doe 10 | Centurion | 1-2, 22-55 |
| John Doe 11 | Consigliori | 1-2, 61-62 |

While it is true that many carders are Russian, several folks on this list reside in the United States. This case, which DHS ICE calls "Operation: Open Market", has already seen 19 arrested in the United States, primarily in Las Vegas, where LOFTON, CAMEZ, BUTLER, LAMB, and VERGNETTI were arrested. (Some of those arrested were indicted separately and do not appear above.)

KOSTYUKOV was arrested in Miami at his home at 1100 Washington Avenue, Miami Beach. (He sent a letter to the judge asking for his property back, including his hookah pipe and his Dr. Dre Beats headphones.)

David Ray Camez, a Nevada resident, for example, was convicted and was due to be sentenced today. (You may enjoy reading his Forfeiture document, which includes ATM machines, PVC card embossers, dozens of phones and computers, as well as printers, cameras, and video games.) Camez was already serving a seven-year sentence in the State of Arizona for fraud charges he was convicted of there.

Back in 2012, ICE agents announced that they had arrested 19 in the US in an operation called "Operation: Open Market."

The full fifty-one-page indictment, originally introduced in court on January 10, 2012, and finally unsealed April 10, 2014, goes on to describe additional charges and activities, sometimes in great detail. The case against "Defendant 24, Cameron Harrison, AKA Kilobit" is being tried in Las Vegas, Nevada as CASE #: 2:12-cr-00004-APG-GWF-24.

The event that triggered the unsealing of the indictment was that Cameron Harrison pleaded guilty, WITHOUT BENEFIT OF A PLEA AGREEMENT! In his nineteen-page guilty plea, in addition to Count One and Count Two above, Cameron pleaded guilty to:

Count Sixteen: Trafficking in and Production of False Identification Documents and Aiding and Abetting, in violation of 18 U.S.C. § 1028(a)(1), (b)(1)(A)(ii), and (c)(3) and 18 U.S.C. § 2.

The Sentencing Guidelines that the prosecution is asking for are HUGE because they are describing the "Total amount of actual loss involved in the offense as $50,893,166.35" which gives a +24 to the Sentencing guidelines just for the financial losses!

Base Offense Level = 7
+ 24 (offense involved more than $50 Million of actual loss)
+6 (offense involved more than 250 victims)
+2 (offense involved receiving stolen property and the defendant was a person in the business of receiving and selling stolen property)
+2 (fraud committed from outside the US, involving a sophisticated means)
+2 (fraud involving possession of device-making equipment and trafficking in unauthorized and counterfeit access devices)
-3 (Acceptance of Responsibility)

Total Offense Level = 40

Restitutions that are declared in the Plea include:

American Express = $3,299,210.90

Discover Financial Services = $2,202,429.00

Master Card = $15,496,221.00

Visa Inc. = $29,895,305.45

Total = $50,895,305.45

Because this is a RICO case, EACH member of the Conspiracy can be found responsible for the full restitution. The Indictment requests that each have $20 million of their assets seized to help cover the costs. (Most have nowhere near that amount, of course...).

Roles of the Defendants

Despite the news headlines being about Kilobit (Cameron Harrison) today, Harrison was only a "Member" of the board. Far more important members are listed below by their roles on the various Carder.su websites.

Administrator = Roman ZOLOTAREV, who was the head of Carder.su.

As the head of the governing council, the administrator handles day to day management decisions of the organization, as well as long-term strategic planning for its continued viability. Zolotarev was the leader of the enterprise, appointing moderators, and directing other members and associates of the enterprise in carrying out unlawful and other activities in furtherance of the conduct of the enterprise's affairs. In addition, ZOLOTAREV:

determines which individuals can become and remain members of the Carder.su organization.

regulates the functions, responsibilities, and levels of access to information accorded to each member.

bestows the rewards accorded members for their loyalty to the Carder.su organization, and sets the punishments to be meted out to members evidencing disloyalty to the organization.

decides when, how, and under what circumstances to attack and to retaliate against members of rival criminal organizations and their associated Internet website forums.

has full access to, and privileges on, the computer servers hosting the Carder.su organization's websites.

has ultimate responsibility for the administration, maintenance, anonymity and security of the Carder.su organization's computer servers.

Moderators = Konstantin LOPATIN and MAXXTRO

These defendants act as leaders of the enterprise, directing other members and associates in carrying out unlawful and other activities in furtherance of the conduct of the enterprise's affairs. Moderators are members of the Carder.su organization's governing council. They oversee and manage one or more subject matter specific areas on the Carder.su organization's websites. Their jobs included assisting Zolotarev by:

monitoring and policing the websites by editing and deleting members' posts and mediating disputes among members.

serving as Reviewers for products or services offered through the enterprise in which they have expertise.

Both LOPATIN and MAXXTRO possessed at least 15 counterfeit or unauthorized access devices.

Reviewers

Members are allowed to sell contraband, including counterfeit documents, stolen bank accounts, and credit card information. Reviewers examine and test products and services that members wish to advertise and sell on the websites. A favorable review is a prerequisite to selling contraband. Any member can be appointed to do a review, although they are usually done by Moderators or the Administrator.

Vendors

Vendors advertise and sell products, services, and other contraband after receiving a favorable review.

Vendors among the defendants included:

Alexander KOSTYUKOV (Temp/Klbs) - a vendor of Cashout services. Cashout vendors remove funds from bank and credit card accounts and receive a fee between 45% and 62% of the funds received.

Maceo BOOZER (XXXSimone / G4 / El Padrino / Mr. Right / mrdc87) is a vendor of dumps. "Dumps" are stolen credit and debit card account data. They sold for between $15 and $150 per card, depending on the quantity purchased and the geographic location. United States cards are least expensive, and European cards are most expensive.

Ray WONG is a vendor of counterfeit plastic, a device-making implement used to produce counterfeit credit cards. WONG sold blank counterfeit plastic cards for $20 to $25 each, with a minimum order of 50 cards. Embossed counterfeit cards were $65 to $75 each with a minimum order of ten. Wong was also a vendor of dumps.

MONTECALVO (N1ghtmare / Tenure44) is a vendor of dumps, but also offered a dump checking service: he had the ability to validate a card against a real financial institution.

Yu Feng WANG (Ibatistuta) is a vendor of counterfeit cards, counterfeit holograms, and signature panels used to manufacture counterfeit credit cards. He sold blanks for $10-$15 each.

Mohamed Amr Mahmoud (AMR Mahmoud / CC--Trader / Kengza) is a vendor of CVV. While dumps are magnetic card stripe reads, CVVs are all of the account holder information - such as Name, DOB, SSN, address, telephone number, mother's maiden name, and the CVV2 code from the back of the card. MAHMOUD also sold Paypal accounts, Fullz (all of the above plus expiration date and PIN), and Enroll/COBs. The latter included all of the previous data, as well as username and password for the account's online access. Depending on the online balance, he would charge $140 to $200 per account.

Jermaine SMITH (Sircharlie57 / Fairbusinessman) is a vendor of plastic and counterfeit cards.

Makyl HAGGERTY (Wave) is a vendor of counterfeit identification documents and counterfeit cards. He sold counterfeit driver's licenses for between $100 and $200 each, depending on state, including CA, TX, WI, OH, RI, NV, PA, IL, FL, LA, AZ, HA, SC, GA, NJ, as well as BC Canada. He also sold blank counterfeit plastics and embossed cards.

Alexandru ION (Abagnalefrank) is a vendor of dumps. He sells 100 mixed Visa and Master Card accounts for $1,500 or 100 AmEx cards for $1,000.

Jordan GEORGIEVSKI is a vendor of counterfeit credit cards and blank plastic, as well as embossed cards for $75 each.

Roman SELEZNEV (Track2 / Bulba / NCUX) is a vendor of dumps. He sold very large volume product through an automated website where members could load their desired cards into a shopping cart. Accounts sold for $20 each.

Qasir MUKHTAR (Caliber) is a vendor of counterfeit plastics, holograms, and signature panels.

Roy AYAD (Rabie Ayad / Patistota) is a vendor of CVVs, selling through an automated website.

Mina MORRIS (Source) is a vendor of dumps. Morris had an automated website to sell dumps.

Rachid IDAALI (C4rd3r) is a vendor of Fullz.

Liridon MUSLIU (Bowl) is a vendor of CVVs.

Sergei Litvinenko (Dorbik / Matad0r ) is a vendor of Bullet Proof Hosting services and infrastructure for criminal websites. These are ISPs that allow criminals to run illegal websites used for phishing, carding forums, or dump sites.

GRUBER is a vendor of counterfeit identification documents including drivers licenses ranging from $150 to $200 each.

ELIT3 is a vendor of Fullz. He also sells Enroll/COBs.

FOZZY is a vendor of dumps ranging from $12 to $100 each, depending on quantity and location.

VITRUM (Lermentov) is a vendor of dumps.

Andrei BOLOVAN (Panther / Euphoric / Darkmth) is a vendor of dumps.

TM is a vendor of dumps and CVVs, which he sells to members through an automated website.

Members must successfully pass a number of security checks intended to keep out law enforcement and rival criminal organizations. They use a number of Carder.su websites as "virtual clubhouses" to gather with other members in order to share information, solicit and recruit other members and to achieve the common objectives of the enterprise.

Members charged in this conspiracy include:

Michael LOFTON (Killit / Lofeazy)

Shiyang GOU (Cder)

David Ray CAMEZ (Badman / DoctorSex)

Cameron HARRISON (Kilobit)

Aleksandar BESAROVIC (Qiller)

Duvaughn BUTLER (Mackmann)

Fredrick THOMAS (1Stunna)

SENNA071

MORFIY

The Charges

Counts One and Two given above deal with racketeering:

COUNT ONE:

Acts 1 through 15 - Unlawful Trafficking In and Production of False Identification Documents